Cybersecurity Drill: Lessons Learned
Healthcare Needs to Improve Information Sharing
A recent inaugural healthcare cybersecurity drill offers a number of lessons, including that many organizations need to improve how they process cyberthreat intelligence and how they share it, both internally and externally.
The drill, dubbed CyberRX, was conducted on April 1 by the Department of Health and Human Services and the Health Information Trust Alliance, or HITRUST, best known for establishing the Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information. Consulting firm Booz Allen Hamilton served as the "observer" of the drill.
A second CyberRX drill is planned for summer (see HHS CISO on Healthcare Cybersecurity).
Beyond the need to improve information sharing within their internal IT teams, the drill showed that organizations varied widely in their preparedness to communicate and share cyberthreat information with other internal departments, including legal, privacy, clinical and business operations, as well as with external business partners, says Jim Koenig, principal and global leader for commercial privacy, cybersecurity and incident response for health at Booz Allen Hamilton. His comments came during an April 21 HITRUST media briefing.
Although organizations want the freedom to collaborate during a crisis, Koenig says, many feel a "chill" from potential legal restrictions that prevent them from sharing cyberthreat intelligence across the healthcare ecosystem, or are uncertain about when to engage law enforcement.
The four cybersecurity exercises conducted over a seven-hour period included an exercise involving a "compromised" medical device and also a simulated attack involving a state health insurance exchange connected to the HHS' HealthCare.gov federally facilitated insurance marketplace, says Kevin Charest, CISO of HHS.
Other participants in the CyberRX exercise included: athenahealth, Children's Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group and WellPoint.
The exercises revealed that the biggest cybersecurity weakness within the healthcare sector is not related to the industry's technology implementations, but rather its ability "to coordinate and collaborate cybersecurity information among a myriad of healthcare companies that include smaller providers, diagnosis centers, medical device makers, hospital systems to payers," says Roy Mellinger, vice president of IT security and CISO at healthcare insurer WellPoint.
The drill also revealed that smaller organizations in particular, which often lack deep internal cybersecurity resources or collaborative expertise, rely more heavily on guidance available from other organizations, such as HHS or HITRUST, he notes.
Among the actions HITRUST is taking after the first CyberRX exercise is enhancing its Cyber Threat Intelligence and Incident Coordination Center, or C3Portal, with additional tools, including some designed to facilitate collaboration among organizations supporting incident response, says HITRUST CEO Daniel Nutkis.
The importance of cyberthreat information sharing was illustrated in recent weeks by the announcement of the Heartbleed bug, Mellinger says.
HITRUST issued an industry cyber-alert listing companies affected by the OpenSSL vulnerability and where software patches were available to address the issues, Nutkis notes.
In other Heartbleed-related developments, Charest explained at the briefing why HHS issued a notice on HealthCare.gov, the website for the federally facilitated health insurance marketplace under the Affordable Care Act, instructing consumers to change their passwords.
The notice on the HealthCare.gov site says, "HealthCare.gov uses many layers of protections to secure your information. While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution."
The move came as "a precaution," Charest says (see HealthCare.gov: Change Passwords). "We followed the prescribed best practice as an abundance of precaution," he says. Passwords on HealthCare.gov have been invalidated, and consumers will need to set new passwords by answering "challenge questions," he says.
In a statement provided to Information Security Media Group the morning of April 21, Charest said, "There has been no effect from Heartbleed for HealthCare.gov. This is simply following the best practices established, which include a number of steps such as patching, reinstalling encryption keys, and end user password resets."
Charest notes that while Akamai, a provider of content to HealthCare.gov, has had to address its own OpenSSL issues as a result of the Heartbleed bug, OpenSSL is not used on HealthCare.gov.